Hardening Plone, a military-strength CMS
Talk given by Kim Chee Leong and Kees Hink at the 2009 Plone Conference in Budapest (PloneConf2009)

Published in: Technology
Transcript

  • 1. Hardening Plone: A Military-Strength CMS
  • 2. Hardening Plone: A Military-Strength CMS. Hardening the Plone stack and its infrastructure
  • 3. Class rules ● Feel free to ask questions
  • 4. About us ● Kees Hink: Plone developer since January 2008 ● Kim Chee Leong: Plone developer since May 2007
  • 5. Introduction ● This talk is about: – Making the Plone stack even more secure – Not much about Plone itself – How to get others to acknowledge that it is secure ● For whom? – New to Plone – Marketing – Developers
  • 6. Overview of sections ● Why security? ● Our use case ● Plone ● Infrastructure ● Audits (and feedback)
  • 7. The internet is evil ● Have to protect against: – Cross-site scripting – Unencrypted connections – Spoofing – Password cracking – Mail interception – Server hacking – SQL injection
  • 8. SQL Injection ● Comic by XKCD: http://xkcd.com/327/
  • 9. Our use case ● Two portals: ● Plone as a DMS for online collaboration – Largely standard Plone – Alternative to SharePoint – Sensitive data ● Plone as a user-friendly file upload system – Document upload by suppliers – User-friendly upload
  • 10. Security of default Plone ● Plone (Zope) is pretty secure by default ● Quantitative comparison: – Track the number of hits on Google – See the number of vulnerabilities in the National Vulnerability Database ● Qualitative comparison: – See the article “Security overview of Plone” on plone.org
  • 11. Small Plone modifications ● Disable self-registration ● Workflow + permissions ● Additional products: – Aagje (activity log) – LoginLockout
  • 12. How to protect? ● Let's start with a secure location
  • 13. Infrastructure ● Secure hosting: – Trusted hosting partner – Dedicated servers ● Operating system: – Security updates ● Company procedures: – Who has access?
  • 14. Only the HTTPS port is opened to the internet ● VPN-only access for everything except HTTPS
  • 15. Infrastructure: OS ● Modifications on Debian Linux to enhance security: – A different system user for each Zope instance – Regular security updates – Tightened filesystem permissions
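As an added example (not from the talk and not the speakers' own scripts) of what "a different system user for each Zope instance" and "tightened filesystem permissions" look like on Debian, the shell functions below create a no-login system account per instance, make the instance tree private to that account, with var/ (Data.fs, blobs, logs, which hold documents and session data) readable by nobody else, and count anything a local user on the box could still read. The zope- user prefix, the /srv/zope/<name> layout and the var/ subdirectory name are assumptions for illustration.

```shell
# Added example, not from the talk. Assumptions: user prefix "zope-",
# instance trees under /srv/zope/<name>, ZODB and logs under <home>/var.

# Root-only: one dedicated account per instance, no shell, owns its tree.
# Not invoked by the read-only check below; run it once per instance.
create_instance_user() {
    name="$1"                     # e.g. dms  -> user zope-dms
    home="${2:-/srv/zope/$name}"  # e.g. /srv/zope/dms
    adduser --system --group --home "$home" --shell /usr/sbin/nologin "zope-$name"
    chown -R "zope-$name:zope-$name" "$home"
    tighten_tree "$home"
}

# Works as the tree's owner: nobody outside the instance's own group may
# traverse or read the tree, and var/ is private to the instance user only.
tighten_tree() {
    home="$1"
    chmod 750 "$home"
    # Everything except var/: group may read, world gets nothing.
    find "$home" -path "$home/var" -prune -o -type d -exec chmod 750 {} +
    find "$home" -path "$home/var" -prune -o -type f -exec chmod 640 {} +
    # var/ (Data.fs, blobstorage, event/access logs): owner only.
    if [ -d "$home/var" ]; then
        find "$home/var" -type d -exec chmod 700 {} +
        find "$home/var" -type f -exec chmod 600 {} +
    fi
    return 0
}

# Audit: number of entries under a tree that any local account can read
# (mode bit o+r). Prints the count; 0 means clean. Run after each deploy.
count_world_readable() {
    find "$1" -perm -004 | wc -l | tr -d ' '
}

# Debian keeps the security fixes flowing only if upgrades are applied
# regularly; schedule this (or unattended-upgrades) rather than doing it by hand.
apply_security_updates() {
    apt-get update && apt-get -y upgrade
}
```

Separate users matter beyond file permissions: a compromised instance (for example through a malicious or buggy add-on product running as that user) can then neither read the other instance's Data.fs nor write into its Products directory.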
  • 16. Infrastructure: Web server ● Apache: – HTTPS – Get an SSL certificate (Thawte, VeriSign) – No rewrite rule for the Zope root (expose only the Plone site) – Keep log files
  • 17. SSL certificate
  • 18. Just to keep your attention (comic from http://xkcd.com)
  • 19. Audits ● Document your procedures ● We are using parts of ITIL ● Get audits: – Technical audit – Process audit
  • 20. Technical security audit ● Done by a 3rd party ● They have a checklist ● They report back in a structured way ● Black box audit: – From outside, on the Plone portal ● Crystal box audit: – On the server, with root access – Check user permissions, etc.
  • 21. Recommendations for Plone ● Plone itself is pretty secure ● Modifications: – Quota (file upload limit) – Cookie settings (HttpOnly, Secure), fixed in Apache ● And, of course: – Disable self-registration, check workflow and permissions, use LoginLockout
  • 22. Recommendations outside Plone ● Modifications: – Use HTTPS only (no redirects from HTTP) – Paranoid user permission restrictions – Caching header control ● And, of course: – Secure hosting, VPN, security updates, etc.
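The Apache-side recommendations from slides 16, 21 and 22 combined into one virtual host, as an added example and not the speakers' own configuration: HTTPS only with no port-80 host and no redirect, a rewrite that exposes only the Plone site object (never the Zope root), a request-size limit as the transport-level counterpart of the upload quota, HttpOnly and Secure flags added to every cookie Zope sets, and caching headers that keep authenticated pages out of shared and browser caches. The hostname dms.example.com, the site id plonesite, the backend port 8080 and the certificate paths are assumptions.

```apache
# Added example, not the speakers' configuration. Assumed: Apache 2.2.4+ with
# mod_ssl, mod_rewrite, mod_proxy_http and mod_headers; Zope on 127.0.0.1:8080
# with a VirtualHostMonster in its root; Plone site id "plonesite".

# Deliberately no <VirtualHost *:80> and no HTTP->HTTPS redirect: port 80 is
# closed at the firewall, so a plaintext request never reaches the app.

<VirtualHost *:443>
    ServerName dms.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/dms.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/dms.example.com.key
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5

    # Keep log files; retention follows your documented procedures.
    ErrorLog  /var/log/apache2/dms-error.log
    CustomLog /var/log/apache2/dms-access.log combined

    # Map the public root onto the Plone site only. The Zope root (ZMI,
    # Control_Panel, any other site) is not reachable from the internet.
    RewriteEngine On
    RewriteRule ^/(.*) http://127.0.0.1:8080/VirtualHostBase/https/%{SERVER_NAME}:443/plonesite/VirtualHostRoot/$1 [L,P]

    # Request-body limit (50 MB here): a hard upload ceiling in front of
    # whatever content quota Plone enforces on its own side.
    LimitRequestBody 52428800

    # Add HttpOnly and Secure to every cookie Zope sets (__ac, the session
    # cookie): scripts cannot read them and they are never sent over HTTP.
    Header edit Set-Cookie ^(.*)$ "$1; HttpOnly; Secure"

    # Authenticated content must not be stored by intermediaries or remain in
    # the browser cache after logout.
    Header set Cache-Control "private, no-cache, no-store, must-revalidate"
    Header set Pragma "no-cache"
</VirtualHost>
```

Two checks worth running after applying this: request https://dms.example.com/Control_Panel and expect a 404 from inside the Plone site (the Zope root is not exposed), and watch the Set-Cookie header on the 302 that follows a login. On Apache 2.2 the plain Header directive edits only headers of normal responses, and on 2.4 it needs the form "Header always edit" to cover non-2xx responses, so a login redirect can carry an unflagged cookie if this is not verified. Setting Cache-Control: no-store on every response also defeats caching of static resources; in production, scope the Header set lines with a <LocationMatch> covering the authenticated paths.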
  • 23. Technical audit final result ● We implemented these recommendations; the setup was tested again in the next audit and approved.
  • 24. Process security audit ● Done by our client's accountants ● They check processes: – Talk about our server management documents (especially the security-related ones) – Talk about the certification of our hosting partner – Talk to the technical auditing party – Talk to us, again...
  • 25. Recommendations for Plone ● Confidentiality and user agreement
  • 26. Process audit final result ● We passed! (Image by Getty Images)
  • 27. Wrapping up ● Done: – Think about how to secure our existing setup even more – Have specialists check our setup and procedures – Implement their recommendations ● Result: Plone is officially 100% secure (that is, our setup and procedures passed both the technical and the process audit)
  • 28. Remaining questions?
